Re: no subject I have a question about putting jsp in web-inf

2002-02-22 Thread Chuck Amadi

Keith wrote:

Users can't get at anything under web-inf by name. So it stops them running
your jsp directly or viewing their source code.
They still work because they can be referenced by a Servlet (i.e. the struts
ActionServlet). (not all servers are the same here).
It's a 'rule' for commercial/sensitive sites that every reference from the
browser is a symbolic ref. (eg. a webapp + a ref. to an entry in
struts-config.xml). This stops hackers/spies from viewing js source or even
knowing directory names or file names.
Looks like paranoia but I guess people have been burned.
A few years ago you could get at server directory listing from browsers & steal
files but these days this also is blocked. It's getting really boring...



--- James Mitchell [EMAIL PROTECTED] wrote:

Question?

What is the point of putting jsp pages in web-inf?


Someone please correct me if I am wrong but,

If I see a web application URL such as
http://www.someweb.com/myapp/web-inf/somedir/mypage.jsp then I can only
assume that I can also go to

http://www.someweb.com/myapp/web-inf/web.xml
or
http://www.someweb.com/myapp/web-inf/classes/ (god forbid that you have
directory browsing enabled, then I could read your database connection
login and passwords (if available, such as poolman.xml) or any of your
resource bundle files).

Or worse, I could download your .class and .jar files.






P.S. Did you actually click on those links?  They won't work because I made
them up:-)


James Mitchell
Software Engineer
Open-Tools.org
Home Phone (770) 822-3359
Cell Phone: (678) 910-8017


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 15, 2002 10:04 AM
To: Struts Users Mailing List
Subject: no subject


depends on where your pages are.
If you have them in the root web app dir, use:

<frameset>
  <frame src="myNavigation.jsp">
  <frame src="myContent.jsp">
</frameset>

If you have it, let's say under root/myjsps, use:

<frameset>
  <frame src="myjsps/myNavigation.jsp">
  <frame src="myjsps/myContent.jsp">
</frameset>

Having the jsps under WEB-INF doesn't work on some servers WL, for instance.

From: Henry Lu
Subject: Re: frame page src=?
Date: Fri, 15 Feb 2002 05:59:28 -0800




No, it doesn't work either. Could you show me a working example?


---
Henry Lu
MCIT                                    phone: (734) 936-2063
University of Michigan Medical Center   fax:   (734) 763-4372

On Fri, 15 Feb 2002, Jin Bal wrote:

how about
src=something.do
- Original Message -
From: Henry Lu [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, February 15, 2002 1:34 PM
Subject: frame page src=?


How to specify src path in the frame tag under struts?

I did the following and it didn't work

src=/WEB-INF/jsp/login/blank.jsp
neither
src=/do/someting
neither
src=/jsp/login/blank.jsp

Could you show me an example?


--
-

Henry Lu
MCIT                                    phone: (734) 936-2063
University of Michigan Medical Center   fax:   (734) 763-4372


--
To unsubscribe, e-mail:

mailto:[EMAIL PROTECTED]

For additional commands, e-mail:

mailto:[EMAIL PROTECTED]



Hi, you may believe this is wrong, albeit I have been briefed that the
WEB-INF is accessible if you are running the service under W$ NT, thus
your classes, jsp and beans etc. can be viewed. Apparently NT4 does not
know the difference between Web-Inf, WEB-INF or web-inf. Thus this may
now have been rectified. Please let me know otherwise.

Note: Could be the case of careless whispers

Cheers Chuck Amadi
Systems Programmer.
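
The point raised above about NT treating Web-Inf, WEB-INF and web-inf as the same directory is a reason for any path check placed in front of a webapp to compare names case-insensitively and after decoding. The Java below is an added example, not code from this thread or from any servlet container; the class and method names are hypothetical, the sample paths are constructed, and it assumes Java 10 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Hypothetical guard, not taken from the thread or from any servlet container.
public class ProtectedPathGuard {

    // Returns true when the raw request path must be refused.
    static boolean isProtected(String rawPath) {
        String path;
        try {
            // Decode percent-escapes so %77eb-inf is compared as web-inf.
            // URLDecoder turns '+' into a space, so protect literal '+' first.
            path = URLDecoder.decode(rawPath.replace("+", "%2B"),
                                     StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return true; // malformed escape sequence: fail closed
        }
        // Split on both separators; Windows also accepts '\' in paths.
        for (String segment : path.split("[/\\\\]+")) {
            // equalsIgnoreCase is locale-independent, unlike
            // toLowerCase() with the default locale.
            if (segment.equalsIgnoreCase("WEB-INF")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample request paths.
        String[] samples = {
            "/myapp/login.do",
            "/myapp/WEB-INF/web.xml",
            "/myapp/web-inf/web.xml",
            "/myapp/Web-Inf/classes/",
            "/myapp/%77eb-inf/web.xml",
            "/myapp/web-info/page.jsp",
        };
        for (String p : samples) {
            System.out.println((isProtected(p) ? "DENY  " : "ALLOW ") + p);
        }
    }
}
```

Only whole path segments are compared, so a directory such as web-info is not refused.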







RE: no subject I have a question about putting jsp in web-inf

2002-02-19 Thread Keith

Users can't get at anything under web-inf by name. So it stops them running
your jsp directly or viewing their source code.
They still work because they can be referenced by a Servlet (i.e. the struts
ActionServlet). (not all servers are the same here).
It's a 'rule' for commercial/sensitive sites that every reference from the
browser is a symbolic ref. (eg. a webapp + a ref. to an entry in
struts-config.xml). This stops hackers/spies from viewing js source or even
knowing directory names or file names.
Looks like paranoia but I guess people have been burned.
A few years ago you could get at server directory listing from browsers & steal
files but these days this also is blocked. It's getting really boring...



--- James Mitchell [EMAIL PROTECTED] wrote:
 Question?
 
 What is the point of putting jsp pages in web-inf?
 
 
 Someone please correct me if I am wrong but,
 
 If I see a web application URL such as
 http://www.someweb.com/myapp/web-inf/somedir/mypage.jsp then I can only
 assume that I can also go to
 
 http://www.someweb.com/myapp/web-inf/web.xml
 or
 http://www.someweb.com/myapp/web-inf/classes/ (god forbid that you have
 directory browsing enabled, then I could read your database connection
 login and passwords (if available, such as poolman.xml) or any of your
 resource bundle files).
 
 Or worse, I could download your .class and .jar files.
 
 
 
 
 
 
 P.S. Did you actually click on those links?  They won't work because I made
 them up:-)
 
 
 James Mitchell
 Software Engineer
 Open-Tools.org
 Home Phone (770) 822-3359
 Cell Phone: (678) 910-8017
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: Friday, February 15, 2002 10:04 AM
 To: Struts Users Mailing List
 Subject: no subject
 
 
 depends on where your pages are.
 If you have them in the root web app dir, use:
 
 <frameset>
   <frame src="myNavigation.jsp">
   <frame src="myContent.jsp">
 </frameset>
 
 If you have it, let's say under root/myjsps, use:
 
 <frameset>
   <frame src="myjsps/myNavigation.jsp">
   <frame src="myjsps/myContent.jsp">
 </frameset>
 
 Having the jsps under WEB-INF doesn't work on some servers WL, for instance.
 
 From: Henry Lu
 Subject: Re: frame page src=?
 Date: Fri, 15 Feb 2002 05:59:28 -0800
 
 
 
 
 No, it doesn't work either. Could you show me a working example?
 
 
 ---
 Henry Lu
 MCIT                                    phone: (734) 936-2063
 University of Michigan Medical Center   fax:   (734) 763-4372
 
 On Fri, 15 Feb 2002, Jin Bal wrote:
 
  how about
  src=something.do
  - Original Message -
  From: Henry Lu [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Friday, February 15, 2002 1:34 PM
  Subject: frame page src=?
 
 
   How to specify src path in the frame tag under struts?
  
   I did the following and it didn't work
  
   src=/WEB-INF/jsp/login/blank.jsp
   neither
   src=/do/someting
   neither
   src=/jsp/login/blank.jsp
  
   Could you show me an example?
  
  
 
  --
  -
   Henry Lu
   MCIT                                    phone: (734) 936-2063
   University of Michigan Medical Center   fax:   (734) 763-4372
  
  




RE: no subject I have a question about putting jsp in web-inf

2002-02-15 Thread James Mitchell

Question?

What is the point of putting jsp pages in web-inf?


Someone please correct me if I am wrong but,

If I see a web application URL such as
http://www.someweb.com/myapp/web-inf/somedir/mypage.jsp then I can only
assume that I can also go to

http://www.someweb.com/myapp/web-inf/web.xml
or
http://www.someweb.com/myapp/web-inf/classes/ (god forbid that you have
directory browsing enabled, then I could read your database connection
login and passwords (if available, such as poolman.xml) or any of your
resource bundle files).

Or worse, I could download your .class and .jar files.






P.S. Did you actually click on those links?  They won't work because I made
them up:-)


James Mitchell
Software Engineer
Open-Tools.org
Home Phone (770) 822-3359
Cell Phone: (678) 910-8017


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 15, 2002 10:04 AM
To: Struts Users Mailing List
Subject: no subject


depends on where your pages are.
If you have them in the root web app dir, use:

<frameset>
  <frame src="myNavigation.jsp">
  <frame src="myContent.jsp">
</frameset>

If you have it, let's say under root/myjsps, use:

<frameset>
  <frame src="myjsps/myNavigation.jsp">
  <frame src="myjsps/myContent.jsp">
</frameset>

Having the jsps under WEB-INF doesn't work on some servers WL, for instance.

From: Henry Lu
Subject: Re: frame page src=?
Date: Fri, 15 Feb 2002 05:59:28 -0800




No, it doesn't work either. Could you show me a working example?


---
Henry Lu
MCIT                                    phone: (734) 936-2063
University of Michigan Medical Center   fax:   (734) 763-4372

On Fri, 15 Feb 2002, Jin Bal wrote:

 how about
 src=something.do
 - Original Message -
 From: Henry Lu [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, February 15, 2002 1:34 PM
 Subject: frame page src=?


  How to specify src path in the frame tag under struts?
 
  I did the following and it didn't work
 
  src=/WEB-INF/jsp/login/blank.jsp
  neither
  src=/do/someting
  neither
  src=/jsp/login/blank.jsp
 
  Could you show me an example?
 
 

 --
 -
  Henry Lu
  MCIT                                    phone: (734) 936-2063
  University of Michigan Medical Center   fax:   (734) 763-4372
 
 